Description
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-01-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting via CSRF
Action: Patch Immediately
AI Analysis

Impact

The Royal Elementor Addons and Templates plugin suffers from a missing or incorrect nonce check in the wpr_filter_grid_posts() function, enabling unauthenticated attackers to submit forged requests that embed malicious scripts. When an admin clicks a crafted link or submits a form, the injected JavaScript executes in the admin's browser session, potentially exposing session cookies or permitting further malicious actions. The weakness is identified as CWE-352, a Cross-Site Request Forgery flaw that results in reflected cross-site scripting.

Affected Systems

The vulnerability affects the Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin in all builds up to and including version 1.7.1006. The impacted code resides in the wpr_filter_grid_posts() handler within the plugin’s class files.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate risk, while the EPSS score of less than 1% shows a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. Exploitation requires convincing a site administrator to click on a malicious link or submit a forged form, taking advantage of the absent or improperly validated CSRF token.

Generated by OpenCVE AI on April 22, 2026 at 07:03 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Royal Elementor Addons and Templates plugin to a version newer than 1.7.1006 as soon as a patch becomes available.
  • If an update cannot be applied immediately, deactivate the plugin or restrict its use to trusted administrators to prevent exposure of the vulnerable endpoint.
  • Verify that the wpr_filter_grid_posts() function performs proper nonce validation, or modify the code to add the missing nonce check if maintaining the plugin code.
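The third action above asks for a nonce check on the AJAX handler. The following is an added illustration of what that check looks like in a generic WordPress admin-ajax handler; it is not the plugin's own code, and the handler, hook and nonce action names (example_filter_posts and friends) are hypothetical placeholders, not identifiers from the plugin. It assumes only WordPress core functions (check_ajax_referer, wp_create_nonce, wp_localize_script, sanitize_text_field, esc_attr). The weak version shows the CWE-352 shape the advisory describes: a handler reachable without a nonce that reflects request data straight into the response.

```php
<?php
/**
 * Added example, not code from the Royal Elementor Addons plugin.
 * All function, hook and nonce names here are hypothetical.
 */

/* --- Weak pattern: no nonce check, unescaped reflection ---------------- */
function example_filter_posts_unsafe() {
    // No nonce and no capability check: a cross-origin form post reaches
    // this code as soon as a logged-in admin is lured into submitting it.
    $category = isset( $_POST['category'] ) ? $_POST['category'] : '';

    // Request data is echoed unescaped, so a forged request can place
    // markup in the response (reflected XSS behind the CSRF).
    echo '<div class="grid" data-category="' . $category . '"></div>';
    wp_die();
}
// Registered for both logged-in and logged-out callers (nopriv).
add_action( 'wp_ajax_example_filter_posts_unsafe', 'example_filter_posts_unsafe' );
add_action( 'wp_ajax_nopriv_example_filter_posts_unsafe', 'example_filter_posts_unsafe' );

/* --- Hardened pattern: nonce check, sanitize in, escape out ------------- */
function example_filter_posts_safe() {
    // 1. CSRF protection: check_ajax_referer() reads $_REQUEST['nonce'],
    //    verifies it against the 'example_filter_posts' action for the
    //    current user/session, and terminates the request with -1 if it
    //    is missing, stale or forged. Cross-origin pages cannot read the
    //    nonce, so they cannot build a request that passes this line.
    check_ajax_referer( 'example_filter_posts', 'nonce' );

    // 2. Sanitize input on the way in.
    $category = isset( $_POST['category'] )
        ? sanitize_text_field( wp_unslash( $_POST['category'] ) )
        : '';

    // 3. Escape output on the way out. The nonce stops forged requests;
    //    escaping is what actually removes the injection, so keep both.
    echo '<div class="grid" data-category="' . esc_attr( $category ) . '"></div>';
    wp_die();
}
add_action( 'wp_ajax_example_filter_posts', 'example_filter_posts_safe' );
add_action( 'wp_ajax_nopriv_example_filter_posts', 'example_filter_posts_safe' );

/* --- Front end: hand the nonce to the script that makes the request ----- */
function example_enqueue_grid_script() {
    // Hypothetical script path; only the localize call matters here.
    wp_enqueue_script( 'example-grid', plugins_url( 'grid.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-grid', 'exampleGrid', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        // Nonce tied to the same action string the handler verifies.
        'nonce'   => wp_create_nonce( 'example_filter_posts' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_grid_script' );
```

When auditing a handler like the one named in the advisory, look for all three pieces: a check_ajax_referer() or wp_verify_nonce() call whose action string matches the wp_create_nonce() call on the front end, sanitization of every request parameter, and escaping of every value written into the response. A nonce check alone leaves the reflection defect in place for anyone who holds a valid nonce; escaping alone leaves the endpoint triggerable cross-site.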



Advisories
Source: EUVD
ID: EUVD-2025-1640
Title: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 18:30:00 +0000

Title
  Removed: Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Stored Cross-Site Scripting
  Added: Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Tue, 14 Jan 2025 15:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jan 2025 08:30:00 +0000

Description
  Added: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title
  Added: Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses
  Added: CWE-352
References
Metrics
  Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Vendor: Wordpress, Product: Wordpress
Vendor: Wproyal, Product: Royal Elementor Addons And Templates

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:00.238Z

Reserved: 2025-01-10T17:57:05.336Z

Link: CVE-2025-0393

Vulnrichment

Updated: 2025-01-14T14:46:34.149Z

NVD

Status : Received

Published: 2025-01-14T09:15:21.263

Modified: 2025-01-14T09:15:21.263

Link: CVE-2025-0393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses